When a user interacts with certain sites on the Internet such as service providers, which are also referred to as relying parties, the service provider often expects to know something about the user that is requesting the services of the provider. The typical approach for a service provider is to require the user to log into or authenticate to the service provider's computer system. But this approach, while satisfactory for the service provider, is less than ideal for the user.
For example, the user must remember a username and password for each service provider that expects such information. Given that different computer systems impose different requirements, along with the possibility that another user might have already chosen the same username, the user might not be able to use the same username/password combination for each such computer system. There is also the related problem that, if the user uses the same username/password combination on multiple computer systems, someone who hacks one such computer system would likely be able to access other such computer systems.
It is estimated that an average user has over 100 accounts on the Internet. For users, this is becoming an increasingly frustrating problem to deal with. Passwords and account names are too hard to remember. Second, the user typically has no control over how the service provider uses the information it stores. If the service provider uses the stored information in a way the user does not want, for example, the user has relatively little ability to prevent such abuse—and essentially no recourse after the fact.
In the past few years, the networking industry has developed the concept of information cards to tackle these problems. Information cards are a very familiar metaphor for users and the idea is gaining rapid momentum. Information cards allow users to manage their identity information and control how it is released. This gives users greater convenience in organizing their multiple personae, their preferences, and their relationships with vendors and identity providers. Interactions with on-line vendors are greatly simplified.
A typical information card contains claims (e.g., certain pieces of information pertaining to the user's identity). Claims usually include, but are not limited to, the user's first name, last name, street address, city, state, zip code, email address, home phone number, office phone number, and mobile number.
There are currently two kinds of information cards: personal cards (or self-issued cards) and managed cards (or cards that are issued by an identity provider (IdP) or security token service (STS)). A personal card contains self-asserted identity information. In other words, the person issues the card and is the authority for the identity information it contains. In contrast, the managed card is issued by an identity provider, which provides the identity information and asserts its validity.
When a relying party requests identity information from the user, a tool known as an identity selector or card selector can assist the user in selecting an appropriate information card. For example, the card selector can present to the user one or more information cards that satisfy a given security policy and claim requirements of the relying party. When a managed card is selected, the card selector can communicate with the identity provider to obtain a security token that contains the needed information.
While information card technologies are becoming more widespread in applications, there remain certain problems for which no adequate solutions currently exist. For example, while certain information card claims are static (such as last name, for example), it is not uncommon for a user to have multiple email addresses. Current implementations of card selectors require users to maintain multiple information cards, one for each minor customization of the claim values.
Because the user must maintain multiple instances of the same static data across multiple information cards, a simple change of address or phone number, for example, requires the user to update multiple information cards. This can be a very cumbersome, time-consuming, ineffiecient process. The user also assumes a risk of using outdated information if he or she neglects to make the pertinent change(s) in a particular information card before using it.
Thus, there remains a need for a way to address these and other problems associated with the prior art.